Eucalyptus CC package depends on 'vtund' process in multi-cluster mode

Bug #425928 reported by Daniel Nurmi
Affects: eucalyptus (Ubuntu)
Status: Fix Released
Importance: Medium
Assigned to: Thierry Carrez

Bug Description

In order for security groups to work properly across two separate clusters (each with their own potentially unroutable subnets), the CC on each cluster uses vtund to set up layer two tunnels between the clusters. The vtun package is not a dependency of eucalyptus-cc as it is not in main (could be 'suggests', as single cluster mode will function properly even if vtund is not present).

Tags: eucalyptus
Matt Zimmerman (mdz)
Changed in eucalyptus (Ubuntu):
status: New → Triaged
importance: Undecided → Medium
assignee: nobody → Thierry Carrez (ttx)
tags: added: eucalyptus
Thierry Carrez (ttx) wrote :

vtun has broken encryption support that makes it unsuitable for main (and for secure multi-cluster support), see MIR review in bug 412059.

The workaround proposal for karmic is to ship a working but unsupported multi-cluster mode, by suggesting vtun usage in eucalyptus and leaving it in universe. There is no time left to migrate from using vtun to openvpn for proper layer-2 encrypted tunneling.

For karmic+1 this would be revisited so that multi-cluster capabilities are fully supported in main, by removing eucalyptus dependency on vtun and switching to openvpn or an IPsec implementation.

Soren Hansen (soren) wrote :

Just to get this on record:

Why is layer two tunneling needed? Does EC2 allow direct ethernet communication between instances? Is that why we're doing it? Or is this related to AoE?

Soren Hansen (soren) wrote :

My testing on EC2 suggests that direct ethernet communication across availability zone boundaries is not possible. For the record, I added an extra IP address (192.168.10.1 and .2) to eth0 on each host, and added an arp entry for the other host on each of them, and tried to ping. No luck.

Thierry Carrez (ttx) wrote :

Eucalyptus upstream said this is needed for VLAN tagging, which they use to provide network isolation for VMs between clusters.

Changed in eucalyptus (Ubuntu):
status: Triaged → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package eucalyptus - 1.6~bzr808-0ubuntu1

---------------
eucalyptus (1.6~bzr808-0ubuntu1) karmic; urgency=low

  [ Dustin Kirkland ]
  * debian/eucalyptus-udeb.finish-install: eth0 should be set to
    'manual', when configured with br0 on dhcp, LP: #430820
  * tools/euca_conf.in: ensure that /var/run/eucalyptus and
    /var/run/eucalyptus/net are created at boot and have correct
    ownerships, LP: #431114, #365349

  [ Thierry Carrez ]
  * cluster/Makefile, node/Makefile: Do not patch generated stubs if you
    didn't regenerate them, to avoid spurious build interruptions.
  * tools/eucalyptus-*.in: Do not guard initscripts basic output
    messages with VERBOSE != no (LP: #431274)
  * debian/control: Have eucalyptus-cc suggest vtun for full multi-cluster
    networking capabilities (LP: #425928)

  [ Colin Watson ]
  * Align ports used for cloud startup detection in init scripts with the
    corresponding code in euca_conf (LP: #430758).

  [ Soren Hansen ]
  * New snapshot.
  * Add a build-dependency on libc3p0-java.

 -- Soren Hansen <email address hidden> Mon, 21 Sep 2009 12:14:12 +0200

Changed in eucalyptus (Ubuntu):
status: Fix Committed → Fix Released
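One way to audit the outcome of that debian/control change (added example code, not part of the Eucalyptus package or this bug report): the script below parses a control file and reports whether a given package such as vtun is a hard dependency of eucalyptus-cc or only a suggestion that may be absent on a running system. The sample stanza is constructed and its field contents are assumed.

```python
import re

# Constructed sample modelled on the changelog above; stanza contents are assumed.
SAMPLE_CONTROL = """\
Source: eucalyptus
Build-Depends: debhelper (>= 7), libc3p0-java

Package: eucalyptus-cc
Depends: ${shlibs:Depends}, eucalyptus-common (= ${binary:Version}),
 bridge-utils, dhcp3-server
Suggests: vtun
"""

def parse_control(text):
    """Split control text into stanzas (dicts), folding continuation lines."""
    stanzas, current, last_field = [], {}, None
    for line in text.splitlines():
        if not line.strip():            # blank line ends a stanza
            if current:
                stanzas.append(current)
            current, last_field = {}, None
        elif line[0] in " \t" and last_field:   # continuation of previous field
            current[last_field] += " " + line.strip()
        else:
            field, _, value = line.partition(":")
            last_field = field.strip()
            current[last_field] = value.strip()
    if current:
        stanzas.append(current)
    return stanzas

def relationship_packages(value):
    """Bare package names from 'a (>= 1) | b, ${var}, c': no versions, no substvars."""
    names = set()
    for clause in value.split(","):
        for alt in clause.split("|"):
            name = re.sub(r"\s*\(.*?\)", "", alt).strip()
            if name and not name.startswith("${"):
                names.add(name)
    return names

def relationship_of(control_text, package, dependency):
    """Strongest field (Pre-Depends..Suggests) naming `dependency`, or None."""
    for stanza in parse_control(control_text):
        if stanza.get("Package") != package:
            continue
        for field in ("Pre-Depends", "Depends", "Recommends", "Suggests"):
            if dependency in relationship_packages(stanza.get(field, "")):
                return field
    return None
```

A result of "Suggests" means the package manager will not pull the tunnel daemon in automatically, so a multi-cluster deployment has to install it explicitly.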